February 23, 2006

MEMORANDUM FOR ASSISTANT SECRETARY OF THE AIR FORCE FOR FINANCIAL MANAGEMENT AND COMPTROLLER
NAVAL  INSPECTOR  GENERAL 
AUDITOR  GENERAL,  DEPARTMENT  OF  THE  ARMY 


SUBJECT: Report on DoD Organization Information Assurance Management of
Information Technology Goods and Services Acquired Through Interagency
Agreements (Report No. D-2006-052)


We  are  providing  this  report  for  review  and  comment.  We  considered 
management  comments  on  a  draft  of  this  report  when  preparing  the  final  report. 

DoD  Directive  7650.3  requires  that  all  recommendations  be  resolved  promptly. 
The  Space  and  Naval  Warfare  Systems  Command  comments  were  not  responsive.  We 
request  additional  comments  on  Recommendations  2.a.  and  2.b.  Additionally,  the 
U.S.  Army  Reserve  Command  commented  on  the  findings,  but  did  not  provide  comments 
on  Recommendation  1.  We  ask  that  both  organizations  provide  comments  addressing 
these  recommendations  by  April  24, 2006. 

If  possible,  please  send  management  comments  in  electronic  format  (Adobe 
Acrobat  file  only)  to  AudATM@dodig.mil.  Copies  of  the  management  comments  must 
contain  the  actual  signature  of  the  authorizing  official.  We  cannot  accept  the  /  Signed  / 
symbol  in  place  of  the  actual  signature.  If  you  arrange  to  send  classified  comments 
electronically,  they  must  be  sent  over  the  SECRET  Internet  Protocol  Router  Network 
(SIPRNET). 

We  appreciate  the  courtesies  extended  to  the  staff.  Questions  should  be  directed 
to  Ms.  Jacqueline  L.  Wicecarver  at  (703)  604-9077  (DSN  664-9077)  or  Ms.  Therese  M. 
Kince  at  (703)  604-9060  (DSN  664-9060).  The  team  members  are  listed  inside  the  back 
cover.  See  Appendix  C  for  the  report  distribution. 

By  direction  of  the  Deputy  Inspector  General  for  Auditing: 


Richard B. Jolliffe
Assistant  Inspector  General 
Acquisition  and  Contract  Management 


Department  of  Defense  Office  of  Inspector  General 


Report  Number  D-2006-052 

(Project  No.  D2005-D000AS-0173) 


February  23,  2006 


DoD  Organization  Information  Assurance  Management  of  Information 
Technology  Goods  and  Services  Acquired 
Through  Interagency  Agreements 


Executive  Summary 


Who  Should  Read  This  Report  and  Why?  Chief  information  officers  within  DoD  and 
individuals  responsible  for  DoD  Component  information  assurance  should  read  this 
report  because  it  contains  information  on  properly  securing  information  technology 
goods  and  services  purchased  through  interagency  agreements. 

Background.  Many  Federal  agencies,  including  DoD,  are  now  making  greater  use  of 
interagency  agreements  to  improve  the  Government’s  aggregate  buying  power  and 
simplify  the  procurement  process.  The  information  technology  goods  and  services 
purchased  through  these  agreements  do  not  stand  alone,  but  instead  are  part  of  the 
seamless  web  of  communications  networks,  computers,  software,  databases,  applications, 
security services, and other capabilities used by DoD. As a result, information assurance
is  an  important  aspect  of  any  DoD  information  system,  no  matter  how  the  system 
components  or  services  are  acquired,  whether  through  traditional  acquisitions  or 
interagency  agreements. 

DoD  Components  are  required  to  implement  and  maintain  adequate  security  programs 
that  include  the  minimum  information  assurance  controls  outlined  in  DoD 
Instruction  8500.2,  “Information  Assurance  (IA)  Implementation,”  February  6,  2003,  for 
all  DoD  information  systems.  Army,  Navy,  and  Air  Force  chief  information  officers  rely 
on  subordinate  command  chief  information  officers  to  follow  this  guidance  for  all 
information  systems,  including  those  acquired  through  interagency  agreements. 
Additionally,  the  National  Institute  of  Standards  and  Technology  Special  Publication 
800-12,  “An  Introduction  to  Computer  Security,”  October  1995,  recommends  monitoring 
procedures  for  tracking  user  activity  on  DoD  systems  and  networks. 

Results.  Officials  at  four  DoD  organizations  within  the  Army,  Navy,  and  Air  Force  did 
not  fully  implement  comprehensive  information  assurance  controls  required  to  protect 
DoD  information.  Specifically,  organization  users  were  granted  access  to  DoD  systems 
prior to receiving information assurance training, user security clearances were not
verified, and user activity reviews were not conducted. As a result, the integrity,
confidentiality, and availability of DoD operational data and information technology
systems  cannot  be  guaranteed.  See  the  Finding  section  of  the  report  for  the  detailed 
recommendations.  The  U.S.  Army  Reserve  Command  and  Space  and  Naval  Warfare 
Systems  Command  (including  the  Space  and  Naval  Warfare  Systems  Center  San  Diego) 
management  controls  for  coordinating,  documenting,  and  tracking  information  assurance 
training  completion  were  not  adequate  to  ensure  that  training  was  provided  to  all 
personnel and the management controls for verifying user security clearances were not
adequate to ensure that access was granted to the appropriate personnel. The Air and
Space  Expeditionary  Force  Center  management  controls  for  monitoring  user  activity 
were  not  adequate  to  detect,  report,  and  document  attempted  or  realized  penetrations  of 
information  systems.  Implementing  the  recommendations  will  correct  the  identified 
weaknesses. 

Management Comments and Audit Response. The Commander, U.S. Army Reserve
Command  responded  to  the  findings  in  the  draft  of  this  report,  but  did  not  respond  to  the 
recommendations.  The  U.S.  Army  Reserve  Command  should  provide  comments  on  the 
final  report  by  April  24,  2006.  The  Commander,  Space  and  Naval  Warfare  Systems 
Command  and  the  Commander,  Space  and  Naval  Warfare  Systems  Center  San  Diego 
concurred  with  two  of  the  recommendations  and  were  not  responsive  to  two  of  the 
recommendations.  We  do  not  agree  that  there  is  a  clear  procedure  for  ensuring  that 
information  assurance  awareness  training  is  properly  documented  and  tracked  for  all 
personnel.  The  Commander,  Air  and  Space  Expeditionary  Force  Center  concurred  with 
the  recommendations;  therefore  no  further  comments  are  required.  See  the  Finding 
section  of  the  report  for  a  discussion  of  management  comments  and  the  Management 
Comments  section  of  the  report  for  the  complete  text  of  the  comments. 
Background


Interagency  Agreements.  Many  Federal  agencies  are  now  making  greater  use  of 
interagency agreements to purchase commonly used goods¹ and services,²
including  information  technology  (IT),  thereby  improving  the  Government's 
aggregate  buying  power  and  simplifying  the  procurement  process.  The  IT  goods 
and  services  purchased  through  these  agreements  do  not  stand  alone,  but  instead 
are  part  of  the  DoD  communications  networks,  computers,  software,  databases, 
applications,  and  security  services.  Information  assurance  (IA)  is  an  important 
aspect  of  all  DoD  information  systems,  no  matter  how  the  system  components  or 
services  are  acquired,  whether  through  traditional  acquisitions  or  interagency 
agreements. 

Information  Assurance.  DoD  Instruction  8500.2,  “Information  Assurance  (IA) 
Implementation,”  February  6,  2003,  states  that  each  DoD  Component  is 
responsible  for  implementing  and  maintaining  an  adequate  security  program  for 
information  and  IT  assets  that  includes  an  IA  architecture,  a  supporting  master 
plan,  clear  assignment  of  organizational  roles  and  responsibilities,  and  for 
developing  and  managing  a  professional  IA  workforce. 

Command  Roles  and  Responsibilities.  DoD  Directive  8500.1,  “Information 
Assurance  (IA),”  October  24,  2002,  certified  current  as  of  November  21,  2003, 
directs  the  Assistant  Secretary  of  Defense  for  Networks  and  Information 
Integration,  as  the  DoD  Chief  Information  Officer  (CIO),  to  monitor  and  evaluate 
IA  by  developing  guidance  and  annually  evaluating  DoD  Component  readiness. 
Further,  DoD  Directive  8500.1  requires  DoD  Component  heads  to  develop  and 
implement  Component-specific  IA  programs  and  provide  IA  awareness  training 
to  all  Component  personnel.  Army,  Navy,  and  Air  Force  CIOs  rely  on 
subordinate  organization  CIOs  to  follow  this  guidance  for  all  information 
systems,  including  those  acquired  through  interagency  agreements.  As  such,  we 
focused on IA policy and guidance implementation at several Army, Navy, and
Air  Force  organizations  to  assess  the  overall  effectiveness  of  the  DoD  and  Service 
CIO  management  of  IA  controls  over  IT  goods  and  services  obtained  through 
interagency  agreements.  DoD  Instruction  8500.2  establishes  a  baseline  IA  level 
for  all  DoD  information  systems  through  the  assignment  of  specific  IA  controls. 

Information  Assurance  Controls.  IA  controls  protect  and  defend  the  integrity, 
confidentiality,  and  availability  of  information  and  information  systems  and 
include  user  IA  awareness  training,  security  clearance  documentation,  and  user 
activity  monitoring. 

This  report  will  focus  on  IA  controls  for  four  of  the  six  interagency  purchases 
selected: 

• U.S. Army Reserve Command (USARC) used Military
Interdepartmental Purchase Request (MIPR) No. MIPR04CIBER037
to pay the balance owed on an existing interagency agreement,
allowing the command to rebid for network services using traditional
acquisition processes.

• Space and Naval Warfare Systems Command (SPAWARSYSCOM)
used MIPR No. N0003904IPFLD36 to purchase a systems integration
to ensure that communications and advanced command hardware meet
requirements.

• Naval Education and Training Command (NETC) used MIPR
No. N6804504MPAC202 to fund the procurement and installation of
5,000 computer workstations, including physical connections, network
configuration, de-installation, on-site data wiping, and
disposal/decommissioning of existing computers.

• Air and Space Expeditionary Force Center (AEFC) used MIPRs
No. DD44809N401228 and DD44809N401229 to purchase on-site
Continuity of Operations equipment and off-site backup equipment.

¹ Goods are tangible products, such as computer hardware or software.

² Services are work performed by a contractor to update, implement, or change an already established
system, such as systems integration or administrative tasks.


Objectives 


Our  overall  audit  objective  was  to  evaluate  DoD  and  Service  CIO  processes  for 
managing  IT  goods  and  services  obtained  through  interagency  agreements  and 
determine  whether  those  processes  adequately  addressed  information  security. 
Specifically, we determined whether DoD and Service CIOs followed DoD and
Federal  policies  for  proper  certification  and  accreditation,  risk  assessment,  and 
user  access  permissions  related  to  DoD  information  systems.  We  also  reviewed 
the  managers’  internal  control  program  as  it  related  to  the  overall  objective.  See 
Appendix  A  for  a  discussion  of  the  scope  and  methodology  and  Appendix  B  for 
prior  coverage  related  to  the  objectives. 


Managers’  Internal  Control  Program 


DoD  Directive  5010.38,  “Management  Control  (MC)  Program,”  August  26,  1996, 
and  DoD  Instruction  5010.40,  “Management  Control  (MC)  Program  Procedures,” 
August  28,  1996,  require  DoD  organizations  to  implement  a  comprehensive 
system  of  management  controls  that  provides  reasonable  assurance  that  programs 
are  operating  as  intended  and  to  evaluate  the  adequacy  of  the  controls. 

Scope of the Review of the Managers’ Internal Control Program. We
reviewed the adequacy of management controls over DoD Component IT
resources.  Specifically,  we  reviewed  USARC,  SPAWARSYSCOM  and  Space 
and  Naval  Warfare  Systems  Center  (SSC)  San  Diego,  NETC,  and  AEFC 
management  controls  over  IT  funding  and  IA.  In  addition,  we  reviewed 
management’s  self-evaluation  applicable  to  those  controls. 
Adequacy of Management Controls. We reviewed material management
control  weaknesses  for  the  four  sites  visited,  as  defined  by  DoD 
Instruction  5010.40.  The  USARC,  SPAWARSYSCOM,  and  SSC  San  Diego 
management  controls  for  coordinating,  documenting,  and  tracking  IA  training 
completion  were  not  adequate  to  ensure  that  training  was  provided  to  all 
personnel  in  accordance  with  DoD  Directive  8570.1,  “Information  Assurance 
Training,  Certification,  and  Workforce  Management,”  August  15,  2004.  The 
USARC,  SPAWARSYSCOM,  and  SSC  San  Diego  management  controls  for 
verifying  user  security  clearances  were  not  adequate  to  ensure  that  access  was 
granted  to  the  appropriate  personnel  in  accordance  with  the  Office  of 
Management and Budget Circular A-130, “Security of Federal Automated
Information  Resources,”  November  28,  2000,  and  the  Office  of  the  Under 
Secretary  of  Defense  Memorandum,  “Facilitating  Classified  Visits  within  the 
Department  of  Defense,”  April  1,  2005.  The  AEFC  management  controls  for 
monitoring  user  activity  were  not  adequate  to  detect,  report,  and  document 
attempted  or  realized  penetrations  of  information  systems  because  the  procedures 
for  doing  so  were  not  documented.  Implementing  the  recommendations  will 
correct  the  identified  weaknesses.  A  copy  of  the  report  will  be  provided  to  the 
senior  officials  responsible  for  management  controls  at  USARC, 
SPAWARSYSCOM,  and  AEFC.  We  did  not  identify  any  management  control 
weaknesses  at  NETC. 

Adequacy  of  Management’s  Self-Evaluation.  USARC  officials  did  not  identify 
IA  as  an  assessable  unit  and,  therefore,  did  not  identify  or  report  the  management 
control  weaknesses  identified  by  our  audit.  Program  Executive  Officer 
Command,  Control,  Communications,  Computers  and  Intelligence  and  Space 
officials  identified  IA  accreditation  as  part  of  an  assessable  unit  but  did  not 
perform  an  evaluation  because  management  did  not  complete  the  schedule  in  the 
management  control  plan.  AEFC  officials  identified  IT  as  an  assessable  unit; 
however,  during  its  evaluation  they  did  not  identify  the  management  control 
weaknesses  identified  by  this  audit  because  the  AEFC  evaluation  covered  a  much 
broader  area.  NETC  officials  identified  IA  as  an  assessable  unit  and,  like  the 
audit  team,  identified  no  specific  management  control  weakness  related  to  the 
unit. 
DoD Organization Information
Assurance  Management 

Officials  at  four  DoD  organizations  within  the  Army,  Navy,  and  Air  Force 
had  not  fully  implemented  the  comprehensive  IA  controls  that  are  required 
to  protect  DoD  information  systems.  Specifically: 

•  organization  users  did  not  receive  IA  awareness  training  prior  to 
being  granted  access  to  DoD  systems, 

•  user  security  clearances  were  not  verified,  and 

•  user  activity  reviews  were  not  conducted. 

DoD  organization  officials  did  not  fully  implement  IA  controls  because  IA 
roles  and  responsibilities  were  unclear  and  current  operations  were  not 
documented.  As  a  result,  the  integrity,  confidentiality,  and  availability  of 
DoD  operational  data  and  IT  systems  cannot  be  guaranteed. 

Information  Assurance  Controls 

Officials at four DoD organizations within the Army, Navy, and Air Force had
not  fully  implemented  comprehensive  IA  controls  that  are  required  to  protect 
DoD  information  systems.  DoD  Directive  8500.1,  “Information  Assurance  (IA),” 
October  24,  2002,  certified  current  as  of  November  21,  2003,  assigns 
responsibility  to  DoD  Component  Heads  for  developing  and  implementing  IA 
programs  focused  on  securing  the  integrity,  confidentiality,  and  availability  of 
DoD  information  and  information  systems.  Instead,  DoD  Components  rely  on 
organization-level CIOs to develop and fully implement tailored, comprehensive
IA  programs  for  all  IT  goods  and  services  obtained,  whether  through  traditional 
acquisitions  or  interagency  agreements. 

Information  Assurance  Awareness  Training.  DoD  Directive  8570.1 
“Information  Assurance  Training,  Certification,  and  Workforce  Management,” 
August  15,  2004,  requires  that  all  authorized  users,  including  contractors,  receive 
IA  awareness  training  as  a  condition  of  access  to  any  DoD  system  and,  thereafter, 
complete  annual  IA  refresher  training. 

From  May  through  August  2005,  we  included  in  our  USARC  selection  for  review 
any  Government  or  contract  official  with  access  to  or  responsibility  for  the 
existing  interagency  agreement  that  was  paid-in-full  using  MIPR 
No.  MIPR04CIBER037.  Additionally,  from  June  through  August  2005,  we 
included in our SPAWARSYSCOM and SSC San Diego selection for review any
Government  or  contract  official  with  access  to  or  responsibility  for  the  systems 
integration  using  MIPR  No.  N0003904IPFLD36. 

USARC  and  SPAWARSYSCOM,  and  SSC  San  Diego  system  users  did  not 
receive  IA  awareness  training  prior  to  being  granted  access  to  the  systems 
because  USARC,  SPAWARSYSCOM,  and  SSC  San  Diego  officials  did  not 
effectively coordinate, document, and track IA training for all personnel and IT
users. 

USARC officials could not provide completed training forms for 8 of the
15  contractor  personnel  (53  percent)  reviewed  because  USARC  Headquarters  and 
USARC  Enterprise  Service  Activity  (ESA)  personnel  did  not  clearly  establish 
who  was  responsible  for  retaining  IA  training  records  and  verifying  completion. 
USARC  Headquarters  and  USARC  ESA  officials  should  identify  and  assign 
specific  roles  and  responsibilities  for  implementing  the  USARC  IA  awareness 
training  program. 

SPAWARSYSCOM  and  SSC  San  Diego  officials  could  not  provide  IA  training 
documents  for  any  of  the  seven  contract  personnel  reviewed  because  officials  did 
not  clearly  establish  responsibility  for  ensuring  that  IA  training  was  completed  by 
all  personnel,  including  contractors.  SPAWARSYSCOM  and  SSC  San  Diego 
officials  should  identify  and  assign  specific  roles  and  responsibilities  for 
implementing  the  SPAWARSYSCOM  and  SSC  San  Diego  IA  awareness  training 
program. 

USARC,  SPAWARSYSCOM,  and  SSC  San  Diego  personnel  should  improve 
their  IA  awareness  training  programs  for  all  employees  and  contractors  so  that  all 
Government  and  contract  personnel  are  aware  of  their  security  roles  and 
responsibilities  and  understand  the  potential  threats  to  DoD  systems  before  they 
gain  access  to  information  systems. 

User  Access  Controls.  DoD  organization  officials  did  not  adequately  verify  user 
security  clearances  or  conduct  user  activity  reviews. 

User  Security  Clearances.  The  Office  of  Management  and  Budget 
Circular A-130, “Security of Federal Automated Information Resources,”
November  28,  2000,  requires  that  individual  security  clearances  be  verified  prior 
to  authorizing  personnel  access  to  IT  systems,  and  periodically  thereafter. 

Further,  the  Office  of  the  Under  Secretary  of  Defense  Memorandum,  “Facilitating 
Classified  Visits  within  the  Department  of  Defense,”  April  1,  2005,  requires  that 
the  Joint  Personnel  Adjudication  System  (JPAS)  be  used  to  verify  personnel 
security clearances for visitors requiring access to classified information.

The  four  DoD  organizations  reviewed  had  developed  procedures  for  verifying  the 
identity,  personnel  security  clearance,  and  need-to-know  for  all  visitors  prior  to 
giving  authorized  access  to  IT  systems.  However,  two  of  the  four  organizations, 
USARC  and  SPAWARSYSCOM,  did  not  fully  implement  the  procedures 
developed  and,  as  a  result,  were  not  adequately  verifying  user  security  clearances. 

USARC  Headquarters  and  USARC  ESA  officials  did  not  clearly  establish 
responsibility  for  user  security  clearance  verification.  For  example,  USARC  ESA 
and  USARC  Headquarters  officials  could  not  provide  JPAS  security  verification 
for  6  of  the  15  contractors  reviewed.  USARC  officials  provided  visit 
authorizations  for  some  users  and  JPAS  verifications  for  others.  Not  only  was 
there  confusion  regarding  which  officials  were  responsible  for  verifying  which 
users,  but  also  regarding  the  required  documents  and  procedures  to  be  used. 
USARC officials should identify and assign specific roles and responsibilities for
verifying  USARC  user  security  clearances. 

Although  SPAWARSYSCOM  and  SSC  San  Diego  officials  verified 
contract agency facility clearances³ by confirming that each visit request was
necessary, they did not adequately verify that individual security clearances⁴ were
current,  nor  did  they  validate  each  using  JPAS  because  the  procedures  were 
unclear  and  not  documented.  This  current  process  fully  relies  on  the  contract 
agency  to  provide  accurate  information  on  individual  contractors  who  may 
change  during  the  course  of  a  project.  SPAWARSYSCOM  and  SSC  San  Diego 
officials  should  define  specific  responsibilities  for  verifying  individual  security 
clearance  information  and  use  the  JPAS  to  validate  individual  clearance 
information. 

User  Activity  Reviews.  DoD  Instruction  8500.2,  “Information  Assurance 
(IA)  Implementation,”  February  6,  2003,  requires  that  DoD  Component  IA 
programs  detect,  report,  and  document  attempted  or  realized  penetrations  of  DoD 
information  systems  and  include  appropriate  countermeasures  or  corrective 
actions.  The  National  Institute  of  Standards  and  Technology  Special 
Publication  800-12,  “An  Introduction  to  Computer  Security,”  October  1995, 
recommends  periodic  monitoring  of  audit  logs  to  identify  unauthorized  use. 

While  three  of  the  four  DoD  organizations  reviewed  had  developed  user 
activity  monitoring  programs  to  protect  their  systems,  AEFC  did  not  fully 
implement  a  user  activity  monitoring  program  because  specific  procedures  were 
not  documented  and  a  formal,  recurring  monitoring  schedule  had  not  been 
developed.  Instead,  AEFC  officials  stated  they  informally  review  the  audit  logs 
three  times  a  week  for  suspicious  activity.  These  procedures  rely  on  infinite 
permanency in personnel positions and consistent memory to periodically review
the logs. AEFC officials should develop standard written procedures for
monitoring user activity and establish a schedule for reviewing system audit logs
that will help protect organization information and IT systems. Without such a
monitoring  system,  the  AEFC  organization  systems’  first  line  of  defense  may  be 
weakened. 


Conclusion 


The  integrity,  confidentiality,  and  availability  of  DoD  operational  data  and  IT 
systems  cannot  be  guaranteed  because  IA  awareness  training  programs  were  not 
fully  implemented  and  monitored,  user  security  clearances  were  not  adequately 
verified,  and  user  activity  reviews  were  not  conducted  regularly.  Without  proper 
training  implementation  and  recording,  the  integrity  of  DoD  systems  cannot  be 
guaranteed  because  users  may  not  be  aware  of,  and  strictly  adhere  to,  the 
standards of conduct necessary to protect the information. Additionally, if user
security clearances are not adequately verified, then the confidentiality of secretly
disclosed or closely held organization information may be compromised because
the information may be released to individuals who are not properly cleared.
Furthermore, if user activity reviews are not conducted regularly, users may
improperly use organization systems to damage or impair the availability of
critical DoD information.

³ Facility clearances are granted to an entire contractor facility, based on an investigation verifying that the
individuals who run, own, and manage the facility have been cleared.

⁴ Individual security clearances are granted to individual personnel, based on background investigations and
personal interviews.

Previous  DoD  Inspector  General  (DoD  IG)  Report  No.  D2005-025,  “DoD 
FY  2004  Implementation  of  the  Federal  Information  Security  Management  Act 
for Information Technology Training and Awareness,” December 17, 2004,
identified  weaknesses  in  IA  training  programs  at  the  Defense  Commissary 
Agency,  Defense  Contract  Management  Agency,  and  Washington  Headquarters 
Services.  The  report  concluded  that  the  DoD  CIO  did  not  establish  adequate 
procedures  for  DoD  Components  to  monitor  IA  awareness  training.  Our  report 
identifies  similar  weaknesses  at  USARC,  SPAWARSYSCOM,  and  SSC  San 
Diego. Our repeated identification of systemic IA training weaknesses at various
DoD activities indicates that the DoD CIO and individual DoD Components
continue to ineffectively monitor and implement their IA training programs. No
additional recommendations to the Assistant Secretary of Defense for Networks
and Information Integration/DoD Chief Information Officer will be made at this
time because ongoing corrective actions for the recommendations made in DoD
IG  Report  No.  D2005-025  should  correct  the  identified  problems. 


Management  Comments  on  the  Findings  and  Audit 
Response 


Management Comments. The Commander, U.S. Army Reserve Command
stated that the findings and recommendations in the draft report were incorrect or
were no longer valid concerns. The Commander, U.S. Army Reserve Command
stated  that  MIPR  No.  MIP04CIBER037  expired  in  September  2004  and  a  new 
contract  with  a  different  contractor  was  in  place  at  USARC  as  of  July  2005. 

Audit  Response.  USARC  comments  were  not  responsive.  The  audit  team 
focused  on  contract  personnel  that  were  retained  by  the  new  contract.  DoD 
information  assurance  policies  and  procedures  apply  to  the  new  contract  and 
contractor. 

Information Assurance Awareness Training. The Commander, U.S. Army
Reserve  Command  stated  that  USARC  has  an  IA  training  program  in  place  which 
includes  both  initial  IA  training  (provided  in  a  Newcomer’s  Orientation)  and 
annual  refresher  training  (provided  via  Web-based  instruction).  Further,  the 
Commander, U.S. Army Reserve Command stated that the USARC Information
Assurance  Security  Officer  maintains  training  certificates  for  those  who  complete 
IA  training  in  a  centralized  database.  Finally,  the  Contracting  Officer’s 
Representative  (COR)  and  the  Contractor’s  Program  Manager,  who  were  not 
interviewed  during  the  site  visit,  maintain  IA  training  records  for  contract 
personnel. 
Audit Response. USARC comments were not responsive. DoD Directive
8570.1  requires  that  IA  training  be  tracked  and  documentation  be  maintained  by 
the  IA  Security  Officer.  However,  the  IA  Security  Officer  had  not  tracked  or 
documented  that  the  reviewed  contractor  personnel  had  received  training. 
Additionally, the IA Security Officer did not provide information or an agreement
that  either  the  COR  or  the  Contractor’s  Program  Manager  were  designated  with 
the  responsibility  to  track  and  document  IA  training.  Therefore,  USARC  could 
not  provide  assurance  that  contractor  personnel  received  the  required  IA  training 
before  accessing  DoD  information  systems. 

User Security Clearances. The Commander, U.S. Army Reserve Command
stated that USARC Headquarters G-2/6 Security Office was responsible for
verifying security clearance information and has used JPAS for more than 2 years.
Additionally,  the  Commander,  U.S.  Army  Reserve  Command  stated  that  the 
USARC  G-2/6  Security  Office  assigned  security  managers  within  every 
directorate,  both  Headquarters  and  the  USARC  ESA.  Further,  USARC  stated  that 
the  COR  and  the  Contractor’s  Program  Manager  maintain  contractors’  security 
clearance  information. 

Audit  Response.  USARC  comments  were  not  responsive.  Neither  USARC 
Headquarters  G-2/6  Security  Office  nor  USARC  ESA  Security  Managers  could 
provide  documentation  that  verified  contractors  maintained  the  proper  security 
clearances.  It  is  the  responsibility  of  the  IA  security  office  to  verify  and  maintain 
documentation  that  contractors’  security  clearances  are  valid  and  updated. 


Recommendations,  Management  Comments,  and  Audit 
Response 


1.  We  recommend  that  the  Commander,  U.S.  Army  Reserve  Command 
direct  the  Chief  Information  Officer,  U.S.  Army  Reserve  Command  to: 

a.  Conduct  and  document  annual  information  assurance  awareness 
training,  in  accordance  with  DoD  Directive  8570.1,  “Information  Assurance 
Training,  Certification,  and  Workforce  Management,”  August  15,  2004,  for 
all  U.S.  Army  Reserve  Command  employees  and  contractors. 

b.  Within  30  days  of  report  issuance,  establish  clear  procedures  that 
designate  organization-specific  roles  and  responsibilities  for  tracking 
training  for  all  employees  and  contractors. 

c.  Within  30  days  of  report  issuance,  establish  clear  procedures 
designating  specific  roles  and  responsibilities  for  verifying  individual  security 
clearances  in  accordance  with  the  Office  of  Management  and  Budget 
Circular  A-130,  “Security  of  Federal  Automated  Information  Resources,” 
November  28,  2000,  for  all  U.S.  Army  Reserve  Command  employees  and 
contractors. 

Management  Comments.  The  Commander,  U.S.  Army  Reserve  Command  did 
not comment on the recommendations. We request the Commander, U.S. Army
Reserve Command provide comments to the final report recommendations by
April  24,  2006. 

2.  We  recommend  that  the  Commander,  Space  and  Naval  Warfare  Systems 
Command  direct  the  Chief  Information  Officer,  Space  and  Naval  Warfare 
Systems  Command  and  the  Chief  Information  Officer,  Space  and  Naval 
Warfare  Systems  Center  San  Diego  to: 

a.  Conduct  and  document  annual  information  assurance  awareness 
training,  in  accordance  with  DoD  Directive  8570.1,  “Information  Assurance 
Training,  Certification,  and  Workforce  Management,”  August  15,  2004,  for 
all  Space  and  Naval  Warfare  Systems  Command  employees  and  contractors. 

Management  Comments.  The  Commander,  Space  and  Naval  Warfare 
Systems Command concurred with Recommendation 2.a. The Commander, Space
and  Naval  Warfare  Systems  Command  stated  that  IA  training  is  conducted  and 
documented  for  all  personnel  to  include  contractors  with  computer  system  and 
network  access.  The  Commander,  Space  and  Naval  Warfare  Systems  Command 
works  within  the  Navy-Marine  Corps  Intranet  network.  IA  training  was 
conducted  command-wide  in  FY  2005  and  a  manual  process  is  in  place  to  track 
completion  of  IA  training.  Individuals  are  responsible  to  provide  completion 
certificates  to  the  Command  IA  Manager.  Additionally,  new  personnel  who 
require access to the Navy-Marine Corps Intranet must complete IA training and
provide  a  certificate  prior  to  receiving  access  approval.  SSC  San  Diego  conducts 
and  documents  IA  training  for  all  military,  Government,  and  contractor  personnel 
with  computer  system  and  network  access.  SSC  San  Diego  has  established  a 
Web-based training module that automatically updates and tracks training.
Center-wide IA training was completed on September 30, 2005.

Audit  Response.  Although  the  Commander,  Space  and  Naval  Warfare 
Systems  Command  concurred  with  the  recommendation,  the  comments  were  not 
responsive. SPAWARSYSCOM and SSC San Diego were unable to provide
training documentation for the contractors reviewed that showed they had
received the required IA training before accessing the DoD information system.
The SPAWARSYSCOM current system does not ensure that personnel who are
outside  the  Navy-Marine  Corps  Intranet  network  will  receive  IA  training  as 
required  by  DoD  Directive  8570.1. 

b.  Within  30  days  of  report  issuance,  establish  clear  procedures 
designating  organization-specific  roles  and  responsibilities  for  tracking 
training  for  all  employees  and  contractors. 

Management  Comments.  The  Commander,  Space  and  Naval  Warfare 
Systems Command responded stating that SPAWARSYSCOM and SSC San
Diego  already  have  a  clear  procedure  in  place  to  track  training  for  all  personnel. 
Information  Assurance  Managers  for  each  system  center  within  the  claimancy  are 
appointed  in  writing  and  are  responsible  for  ensuring  training  of  individuals  with 
access  to  their  networks.  SPAWARSYSCOM  Claimancy  IA  staff  including  SSC 
San  Diego  provides  metrics  to  the  Claimant  IA  Program  Manager  on  a  monthly 
basis,  and  holds  monthly  and  quarterly  program  reviews  where  they  address 
progress on key areas such as compliance with training.

Audit Response. SPAWARSYSCOM and SSC San Diego comments
were  not  responsive.  Neither  SPAWARSYSCOM  nor  SSC  San  Diego  officials 
could  identify  individual  roles  and  responsibilities  to  track  training  of  all 
personnel  including  the  contractors  reviewed.  Specifically,  employees  within  the 
SPAWARSYSCOM  Claimancy  IA  staff  were  unable  to  identify  the  individual 
responsible  for  tracking  the  IA  training  of  the  seven  contract  personnel.  These 
contractors had access to DoD information systems before receiving the required
IA training outlined in DoD Directive 8570.1. Therefore, SPAWARSYSCOM
and SSC San Diego officials cannot be assured that personnel who have not
received IA training before being granted access to DoD information systems are
aware  of  their  security  roles  and  responsibilities  and  understand  the  potential 
threats  to  DoD  systems. 

c.  Within  30  days  of  report  issuance,  establish  clear  procedures 
designating  specific  roles  and  responsibilities  for  verifying  individual  security 
clearances  in  accordance  with  the  Office  of  Management  and  Budget 
Circular  A-130,  “Security  of  Federal  Automated  Information  Resources,” 
November  28,  2000,  for  all  Space  and  Naval  Warfare  Systems  Command 
employees  and  contractors. 

d.  Begin  using  the  Joint  Personnel  Adjudication  System  immediately 
to  validate  individual  security  clearances  in  accordance  with  the  Office  of  the 
Under  Secretary  of  Defense  Memorandum,  “Facilitating  Classified  Visits 
within  the  Department  of  Defense,”  April  1,  2005. 

Management  Comments.  SPAWARSYSCOM  concurred  with 
Recommendations  2.c.  and  2.d.  stating  that  SPAWARSYSCOM  will  develop  a 
policy  directive  covering  SPAWARSYSCOM  claimancy  and  supported  Program 
Executive  Offices,  which  will  establish  procedures  for  verifying  individual 
personnel  security  clearances  and  identify  specific  roles  and  responsibilities. 
SPAWARSYSCOM  estimates  completion  for  Recommendation  2.c.  by  June  30, 
2006.  Further,  SPAWARSYSCOM  and  SSC  San  Diego  are  in  the  process  of 
implementing  the  JPAS  for  the  verification  of  security  clearances.  Additionally,  a 
Security Functional Change Lead Team will establish a new security policy
directive/manual that will comply with Office of the Under Secretary of Defense
Memorandum and Chief of Naval Operations policy to ensure visitor and security
clearance information is verified prior to authorizing access to
SPAWARSYSCOM facilities and classified information. The estimated
completion  is  April  1,  2006. 

3.  We  recommend  that  the  Commander,  Air  and  Space  Expeditionary  Force 
Center  direct  the  Systems  Administrator,  Air  and  Space  Expeditionary 
Force  Center  to: 

a.  Deactivate  inactive,  suspended,  and  terminated  accounts 
immediately. 

b. Review audit logs for failed and unauthorized user attempts to
log in.

c. Document consistent procedures that will help to implement the
deactivation  of  inactive,  suspended,  and  terminated  accounts  and  establish  a 
schedule  to  review  audit  logs  on  no  less  than  a  weekly  basis  for  failed  and 
unauthorized  user  attempts  to  log  in. 

Management  Comments.  The  Commander,  Air  and  Space  Expeditionary  Force 
Center  concurred  and  ordered  that  all  inactive,  suspended,  or  terminated  accounts 
be  deactivated  immediately,  effective  January  13,  2006.  Additionally,  the  Air 
Force  response  stated  that  the  AEFC  Commander  ordered  reviews  of  all  system 
access  logs  under  the  control  of  AEFC  to  be  performed  and  annotated  in  a  System 
Information  Assurance  Log  on  a  weekly  basis,  effective  January  11,  2006. 

Finally,  the  Air  Force  response  stated  that  the  AEFC  Commander  ordered 
development  of  permanent  policy  and  procedures  that  address  monitoring  user 
activity  and  established  a  schedule  for  reviewing  system  access  on  a  weekly  basis. 
According  to  the  Air  Force  response,  policy  documentation  is  due  to  the  AEFC 
Commander for review and approval by February 15, 2006.


Appendix A. Scope and Methodology


We  met  with  DoD  Office  of  Inspector  General,  Contract  Management 
officials  to  gather  information  regarding  their  project,  “Audit  of  DoD 
Purchases  Through  the  General  Service  Administration,”  (Project 
No.  D2004-D000CF-0238.000).  From  these  meetings  we  obtained  and 
reviewed  documentation  and  working  papers  to  identify  IT  goods  and  services 
worth  at  least  $100,000  that  were  purchased  through  interagency  agreements. 
We  selected  the  following  eight  MIPRs  used  by  six  DoD  organizations  for 
review: 

• USARC used MIPR No. MIPR04CIBER037 to pay the balance
($2,135,811) on an existing interagency agreement, allowing the
command  to  re-bid  for  Army  Reserve  Network  services  using  traditional 
acquisition  processes. 

•  SPAWARSYSCOM  used  MIPR  No.  N0003904IPFLD36  to  purchase  a 
$1,699,021  systems  integration  to  ensure  that  communications  and 
advanced  command  hardware  meet  requirements. 

•  NETC  used  MIPR  No.  N6804504MPAC202  to  fund  an  $8,000,000 
procurement  and  installation  for  5,000  computer  workstations  at  33  sites, 
including  physical  connections,  network  configuration,  de-installation, 
on-site  data  wiping,  and  disposal/decommissioning. 

•  AEFC  used  MIPRs  No.  DD44809N401228  and  DD44809N401229  to 
purchase  on-site  Continuity  of  Operations  equipment  for  $40,143  and 
off-site  backup  equipment  for  $172,246. 

• Commander, Naval Reserve Forces Command used MIPR
No. N0007204MP34275 to procure Defense Message System equipment
valued  at  $706,324. 

•  U.S.  Southern  Command  used  MIPRs  No.  MIPR4F21K60065  and 
MIPR4M21T60129  to  purchase  software  integration  and  technical 
services  totaling  $7,500,000  for  the  Logistics  Command  and  Control 
System  in  Colombia.  However,  we  did  not  visit  U.S.  Southern  Command 
in  Miami,  Florida,  because  all  documents,  hardware,  and  software  related 
to MIPRs No. MIPR4F21K60065 and MIPR4M21T60129 at the U.S.
Southern  Command  were  controlled  by  the  Colombian  government,  and 
therefore  outside  of  our  scope. 

We met with the DoD and Service CIOs to gather information regarding their
management  of  interagency  agreements,  specifically  our  selected  purchases,  and 
identify  the  implemented  IA  requirements  for  each  Service.  Additionally,  we  met 
with  Security  officials  from  the  DoD  Office  of  Inspector  General  to  identify 
information  security  procedures. 

We  reviewed  Federal  and  DoD  policy  to  identify  the  procedures  established  for 
DoD Component IA programs, including IA training, user access, certification
and accreditation, and risk assessment. Specifically, we reviewed DoD Directive
8500.1,  “Information  Assurance  (IA),”  October  24,  2002,  certified  current  as  of 
November  21,  2003,  to  gather  overall  IA  requirement  information  and  determine 
DoD  Component  heads’  roles  and  responsibilities  for  IA  programs. 

Information  Assurance  Training.  We  reviewed  DoD  Directive  8570.1, 
“Information  Assurance  Training,  Certification,  and  Workforce  Management,” 
August  15,  2004,  to  identify  IA  training  requirements  for  DoD  employees  and 
contractors. 

User  Security  Clearance  Verification.  We  reviewed  the  Office  of  Management 
and Budget Circular A-130, “Security of Federal Automated Information
Resources,”  November  28,  2000,  to  determine  existing  requirements  for  verifying 
individual  security  clearances  prior  to  providing  authorized  access  to  DoD 
systems.  Additionally,  we  reviewed  the  Office  of  the  Under  Secretary  of  Defense 
Memorandum,  “Facilitating  Classified  Visits  within  the  Department  of  Defense,” 
April  1,  2005,  which  better  defines  the  required  security  clearance  verification 
system  to  be  used. 

User  Activity  Monitoring.  We  reviewed  DoD  Instruction  8500.2,  “Information 
Assurance  (IA)  Implementation,”  February  6,  2003,  and  the  National  Institute  of 
Standards  and  Technology  Special  Publication  800-12,  “An  Introduction  to 
Computer  Security,”  October  1995,  to  determine  the  recommended  monitoring 
procedures  for  tracking  user  activity  on  DoD  systems  and  networks. 

We conducted interviews with IA, system administration, security, and
certification  and  accreditation  officials  at  the  following  sites  to  gather  detailed 
information  on  the  IA  procedures  each  DoD  Component  developed  and 
implemented,  related  to  the  six  selected  MIPRs: 

•  USARC  in  Fort  McPherson,  Georgia,  and  USARC  ESA  in 
Peachtree  City,  Georgia; 

•  SPAWARSYSCOM  Headquarters  and  SPAWAR  Systems  Center  in 
San  Diego,  California; 

•  NETC  Headquarters,  Naval  Air  Station  Pensacola  and  the  Center  for 
Naval  Leadership,  Naval  Base  Corry  Station  in  Pensacola,  Florida;  Aegis 
Training  and  Readiness  Center,  Naval  Surface  Warfare  Center  Dahlgren 
Division  in  Dahlgren,  Virginia;  Navy-Marine  Corps  Intelligence  Training 
Center  in  Virginia  Beach,  Virginia;  and  the  Center  for  Naval  Aviation 
Technical  Training  Unit,  Naval  Air  Station  Oceana  in  Virginia  Beach, 
Virginia; 

•  AEFC  at  Langley  Air  Force  Base  in  Virginia;  and 

• Commander, Naval Reserve Forces Command in New Orleans,
Louisiana.

Additionally,  we  identified  some  conditions  during  our  site  visit  at  the 
Commander, Naval Reserve Forces Command but, due to the condition of the
New Orleans area after Hurricane Katrina, no recommendations will be
forthcoming. 

During  our  interviews  with  the  identified  officials,  we  reviewed  system  security 
authorization  agreements;  training  completion  documents;  security  clearance 
verification  forms;  computer  audit  logs;  and  standard  operating  procedures  related 
to IA training, user security clearances, and user activity monitoring to determine
whether  DoD  Components  properly  followed  Federal  and  DoD  guidance. 
Additionally,  we  used  judgmental  samples  of  personnel  involved  with  the  IT 
goods  or  services  purchased  to  test  whether  each  Component’s  user  access 
procedures  were  in  accordance  with  applicable  laws. 

We performed this audit from April 2005 through December 2005 in accordance
with  generally  accepted  government  auditing  standards. 

Use  of  Computer-Processed  Data.  We  relied  on  computer-processed  event  or 
audit logs generated by the DoD Component information systems. We reviewed
the information in the event or audit logs for compliance with Federal and DoD
guidance,  but  we  did  not  assess  the  validity  or  accuracy  of  the  systems  used  by 
the  DoD  Components  to  generate  the  data. 

Government  Accountability  Office  High-Risk  Area.  The  Government 
Accountability  Office  (GAO)  has  identified  several  high-risk  areas  in  DoD.  This 
report  provides  coverage  of  the  Protecting  the  Federal  Government’s  Information 
Systems and the Nation’s Critical Infrastructures high-risk areas.


Appendix B. Prior Coverage


During  the  last  5  years,  GAO,  DoD  IG,  the  Army  Audit  Agency,  the  Naval  Audit 
Service,  and  the  Air  Force  Audit  Agency  have  issued  12  reports  discussing 
information  assurance.  Unrestricted  GAO  reports  can  be  accessed  over  the 
Internet  at  http://www.gao.gov.  Unrestricted  DoD  IG  reports  can  be  accessed  at 
http://www.dodig.mil/audit/reports. 


GAO 


GAO  Report  No.  GAO-05-362,  “Improving  Oversight  of  Access  to  Federal 
Systems  and  Data  by  Contractors  Can  Reduce  Risk,”  April  22,  2005 

GAO Report No. GAO-01-307, “Progress and Challenges to an Effective
Defense-wide Information Assurance Program,” March 30, 2001


DoD  IG 


DoD  IG  Report  No.  D-2005-096,  “DoD  Purchases  Made  Through  the  General 
Services  Administration,”  July  29,  2005 

DoD IG Report No. D-2005-094, “Proposed DoD Information Assurance
Certification  and  Accreditation  Process,”  July  21,  2005 

DoD  IG  Report  No.  D-2005-054,  “DoD  Information  Technology  Security 
Certification  and  Accreditation  Process,”  April  28,  2005 

DoD  IG  Report  No.  D-2005-025,  “DoD  FY  2004  Implementation  of  the  Federal 
Information Security Management Act for Information Technology Training and
Awareness,”  December  17,  2004 


Army  Audit  Agency 


Army Audit Agency Report No. A2004-0216-FFB, “Information Systems
Security Material Weakness,” April 8, 2004


Naval Audit Service


Naval  Audit  Service  Report  No.  N2004-0072,  “Operational  Controls  at  Naval  Air 
Systems  Command  Headquarters  and  Naval  Air  Warfare  Centers,”  August  16, 
2004 

Naval  Audit  Service  Report  No.  N2004-0063,  “Operational  Controls  at  Naval 
Aviation  Depots,”  July  9,  2004 

Naval  Audit  Service  Report  No.  N2004-008,  “Information  Technology 
Certification  and  Accreditation  Process,”  October  28,  2003 


Air  Force  Audit  Agency 


Air  Force  Audit  Agency  Report  No.  F2005-0002-FB4000,  “Information 
Assurance  Position  Certification  Training  for  Air  Force  Network  Professionals,” 
March  21,  2005 

Air  Force  Audit  Agency  Report  No.  F2002-0003-C06600,  “Certification  and 
Accreditation of Air Force Systems,” April 22, 2002


Appendix C. Report Distribution


Office  of  the  Secretary  of  Defense 

Under  Secretary  of  Defense  for  Acquisition,  Technology,  and  Logistics 
Under  Secretary  of  Defense  (Comptroller)/Chief  Financial  Officer 
Under  Secretary  of  Defense  for  Personnel  and  Readiness 

Assistant Secretary of Defense for Networks and Information Integration/DoD Chief
Information Officer

Chief  Information  Officer,  Office  of  the  Secretary  of  Defense 

Director,  Program  Analysis  and  Evaluation 

Director,  Defense  Procurement  and  Acquisition  Policy 


Joint  Staff 

Director,  Joint  Staff 

Chief  Information  Officer,  Joint  Staff 


Department  of  the  Army 

Assistant  Secretary  of  the  Army  for  Financial  Management  and  Comptroller 

Auditor General, Department of the Army

Chief  Information  Officer,  Department  of  the  Army 

Commander,  U.S.  Army  Reserve  Command 


Department  of  the  Navy 

Assistant  Secretary  of  the  Navy  for  Manpower  and  Reserve  Affairs 

Naval  Inspector  General 

Auditor  General,  Department  of  the  Navy 

Chief  Information  Officer,  Department  of  the  Navy 

Commander,  Space  and  Naval  Warfare  Systems  Command 

Commander,  Space  and  Naval  Warfare  Systems  Center  San  Diego 


Department  of  the  Air  Force 

Assistant  Secretary  of  the  Air  Force  for  Financial  Management  and  Comptroller 

Auditor  General,  Department  of  the  Air  Force 

Chief Information Officer, Department of the Air Force

Commander, Air and Space Expeditionary Force Center


Unified Commands

Chief Information Officer, U.S. Northern Command
Chief Information Officer, U.S. Southern Command
Chief Information Officer, U.S. Joint Forces Command
Chief Information Officer, U.S. Pacific Command
Chief Information Officer, U.S. European Command
Chief Information Officer, U.S. Central Command
Chief Information Officer, U.S. Transportation Command
Chief Information Officer, U.S. Special Operations Command
Chief Information Officer, U.S. Strategic Command


Non-Defense  Federal  Organization 

Office  of  Management  and  Budget 


Congressional  Committees  and  Subcommittees,  Chairman  and 
Ranking  Minority  Member 

Senate  Committee  on  Appropriations 

Senate  Subcommittee  on  Defense,  Committee  on  Appropriations 
Senate  Committee  on  Armed  Services 

Senate  Committee  on  Homeland  Security  and  Governmental  Affairs 
House  Committee  on  Appropriations 

House  Subcommittee  on  Defense,  Committee  on  Appropriations 
House Committee on Armed Services
House  Committee  on  Government  Reform 

House  Subcommittee  on  Government  Efficiency  and  Financial  Management,  Committee 
on  Government  Reform 

House  Subcommittee  on  National  Security,  Emerging  Threats,  and  International 
Relations,  Committee  on  Government  Reform 
House Subcommittee on Technology, Information Policy, Intergovernmental Relations,
and the Census, Committee on Government Reform


Department of the Army Comments


DEPARTMENT OF THE ARMY
HEADQUARTERS, UNITED STATES ARMY RESERVE COMMAND
1401 DESHLER STREET SW
FORT McPHERSON, GA 30330-2000


AFRC-CII


2  February  2006 


MEMORANDUM  FOR  Program  Director,  Acquisition  and  Technology 
Management,  Inspector  General,  Department  of  Defense,  400  Army  Navy  Drive, 
Arlington,  VA  22202-4704 

SUBJECT:  Report  on  DoD  Organization  Information  Assurance  Management  of 
Information  Technology  Goods  and  Services  Acquired  Through  Interagency 
Agreements (Project No. D2005-D000AS-0173)


1.  Reference  Draft  Report,  Program  Director,  Acquisition  and  Technology 
Management,  Inspector  General,  January  6, 2006,  subject  as  above. 

2. The Draft Report referenced above was focused on an interagency purchase,
Military Interdepartmental Purchase Request (MIPR) No. MIPR04CIBER037, that
had expired in September 2004. At the time of the audit, there was a different
contract and contractor on site. The on site Contracting Officer's Representative
(COR) was not interviewed by the audit team. The findings and recommendations
presented in this report are incorrect, or no longer valid concerns.

3.  Under  Information  Assurance  Awareness  Training,  the  Draft  Report  states  - 

a.  USARC  system  users  did  not  receive  IA  awareness  training  prior  to  being 
granted  access  to  the  systems  because  USARC  officials  did  not  effectively 
coordinate, document, and track IA training for all personnel and IT users.

b.  USARC  officials  could  not  provide  completed  training  forms  for  8  of  the  16 
contractor  personnel  (53  percent)  reviewed  because  USARC  Headquarters  and 
USARC  Enterprise  Service  Activity  (ESA)  personnel  did  not  clearly  establish  who 
was  responsible  for  retaining  IA  training  records  and  verifying  completion. 
USARC  Headquarters  and  USARC  ESA  officials  should  identify  and  assign 
specific  roles  and  responsibilities  for  implementing  the  USARC  IA  awareness 
training  program. 

c.  USARC  personnel  should  improve  their  IA  awareness  training  programs  for 
all  employees  and  contractors  so  that  all  Government  and  contract  personnel  are 
aware  of  their  security  roles  and  responsibilities  and  understand  the  potential 
threats  to  DoD  systems  before  they  gain  access  to  information  systems. 




4. Under User Security Clearances, the Draft Report states -

a. The DoD organizations reviewed had developed procedures for verifying
the identity, personnel security clearance, and need-to-know for all visitors prior
to giving authorized access to IT systems. However, USARC did not fully
implement the procedures developed and, as a result, were not adequately
verifying user security clearances.

b. USARC Headquarters and USARC ESA officials did not clearly establish
responsibility for user security clearance verification. For example, USARC ESA
and USARC Headquarters officials could not provide Joint Personnel
Adjudication System (JPAS) security verification for 6 of the 15 contractors
reviewed. USARC officials provided visit authorizations for some users and Joint
Personnel Adjudication System verifications for others. Not only was there
confusion regarding which officials were responsible for verifying which users,
but also regarding the required documents and procedures to be used. USARC
officials should identify and assign specific roles and responsibilities for
verifying USARC user security clearances.

5. In response to your findings referenced in paragraph 3 (Information Assurance
Awareness Training), the USARC does have an IA training and awareness
program in place. As newly assigned personnel arrive within the USARC, they
are sent through the Newcomers Orientation in which IA user awareness is part
of its program of instruction. Annually all users are required to take Web-based
IA awareness training from one of two published locations. Once a user
completes the required training, that certification is maintained by the Information
Assurance Security Officer within a centralized data base. In addition,
contractors' IA training certification is maintained by the COR and the
Contractor's Program Manager. But to reiterate, the COR was not interviewed by
the auditing team.

6. In response to your findings referenced in paragraph 4 (User Security
Clearances), the USARC Headquarters G-2/6 Security Office has had the
responsibility of security clearance verification since the Command was started.
The USARC G-2/6 Security Office also has assigned Security Managers within
every directorate, at the Headquarters and at USARC ESA. The Security Office
has also been using the JPAS system in excess of two years. There has never
been a question within the command as to who validates security clearances. In
addition, contractors' security clearance information is maintained by the COR
and the Contractor's Program Manager. Again, the COR was not interviewed by
the auditing team.

7. For further information contact Mr. Tom Blac^tmm. USARC, IAPM at
673-364-6246. 


CHARLES E. PHILLIPS
Colonel, GS
Deputy Chief of Staff, G-2/6


Department of the Navy Comments


31 January 2006


From: Department of the Navy Chief Information Officer
To: Inspector General Department of Defense

Subj: DEPARTMENT OF DEFENSE INSPECTOR GENERAL DRAFT REPORT, “DOD
ORGANIZATION INFORMATION ASSURANCE MANAGEMENT OF
INFORMATION TECHNOLOGY GOODS AND SERVICES ACQUIRED THROUGH
INTERAGENCY AGREEMENTS,” PROJECT NO. D2005-D000AS-0173, OF
6 JANUARY 2006

Encl: (1) Commander, Space and Naval Warfare Systems Command ltr 7502, Ser OOCVOOI of
23 Jan 06

Enclosure (1) is endorsed and forwarded. If you have any questions, please contact
Mr. Dale Chnilemen at (703) 602-6800.


Policy and Integration


DEPARTMENT OF THE NAVY
SPACE AND NAVAL WARFARE SYSTEMS COMMAND


7502 

Ser  000*001 

From: Commander, Space and Naval Warfare Systems Command
To: Inspector General Department of Defense

Subj: DODIG DRAFT REPORT “DOD ORGANIZATION INFORMATION ASSURANCE
MANAGEMENT OF INFORMATION TECHNOLOGY GOODS AND SERVICES
ACQUIRED THROUGH INTERAGENCY AGREEMENTS” (PROJECT NO.
D2005-D000AS-0173) DATED 6 JANUARY 2006

Encl: (1) Space and Naval Warfare Systems Command Consolidated Response to
Recommendations on Subject DoDIG Draft Report

1. This is the Space and Naval Warfare Systems Command response to subject DoDIG report.
We have reviewed the draft report and provided our comments at Enclosure (1).

2. Questions concerning this correspondence may be directed to Mr. John Gempel, Acting
Inspector General, at (619) 524-7065 or DSN 524-7065.


Deputy Commander


SPACE AND NAVAL WARFARE SYSTEMS COMMAND RESPONSE TO
RECOMMENDATIONS IN DRAFT AUDIT REPORT DATED 6 JANUARY 2006 ON
“DOD ORGANIZATION INFORMATION ASSURANCE MANAGEMENT OF
INFORMATION TECHNOLOGY GOODS AND SERVICES ACQUIRED THROUGH
INTERAGENCY AGREEMENTS” (PROJECT NO. D2005-D000AS-0173)

We would like to reiterate, as stated in our 15 December 2005 response to the discussion draft
provided on 14 December 2005, that the seven contractors referenced in the draft report were
under the cognizance of SPAWAR Systems Center (SSC) San Diego. SSC San Diego confirmed
that the seven contractors were their responsibility.

Recommendation 1: The DoDIG recommended that the Commander, Space and Naval
Warfare Command direct the Chief Information Officer, Space and Naval Warfare
Command and the Chief Information Officer, Space and Naval Warfare Systems Center
Command, San Diego to:

a. Conduct and document annual information assurance awareness training, in
accordance with DoD Directive 8570.1, “Information Assurance Training, Certification,
and Workforce Management,” August 15, 2004, for all Space and Naval Warfare Systems
Command employees and contractors.

Response: Space and Naval Warfare Systems Command (SPAWARSYSCOM), often
referred to as SPAWAR Headquarters in the draft report, and SSC San Diego concur and are
complying.

SPAWARSYSCOM and SSC San Diego both conduct user training and tracking
compliance. This is documented in our recent compliance reports to the Naval Network Warfare
Command (NNWC) where SPAWAR (as a claimancy) exceeded the 9t percent training
requirement.

SPAWARSYSCOM currently conducts and documents annual Information Assurance
(IA) awareness training for all military and government employees, and those contractors with
computer system and network access. SPAWARSYSCOM works within the Navy Marine
Corps Intranet (NMCI) network, which does not have the ability to electronically track training
completion. In response to an NNWC and DON CIO mandate, SPAWARSYSCOM conducted
command wide training in FY 2005, but was not provided with an electronic method for
managing completion. Currently, a manual process is in place where individuals provide
completion certificates to the Command Information Assurance Manager (IAM). All new
personnel requiring access to NMCI via a SPAWARSYSCOM-sponsored account must
complete training and provide a completion certificate to the IAM prior to receiving access
approval. SPAWARSYSCOM is following NNWC and DON CIO progress on efforts to
provide an automated process for tracking IA awareness training at the Navy Enterprise level.

SSC San Diego currently conducts and documents annual IA awareness training for all
military and government employees, and those contractors with computer system and network
access. SSC San Diego has an existing Access database, which does have the ability to
electronically track training completion. A web based training module has been established that
automatically updates and tracks the individuals who complete the training. Training is recorded
in SSC San Diego's corporate database with the individual's name and date of completion.
Annual notification is automatically generated and sent via email to the individual 30 days prior
to their anniversary date. Center-wide FY 200) IA training was completed on
30 September 2003.

Enclosure (1)

b. Within 30 days of report issuance, establish clear procedures designating
organization-specific roles and responsibilities for tracking training for all employees and
contractors.

Response: SPAWARSYSCOM believes that it currently has a clear procedure and is
complying. IAMs are appointed in writing for each command/system center within the
claimancy. This appointment requires that the IAMs meet the roles and responsibilities outlined
in SPAWAR Instruction 5239.1 "Information Assurance Program" dated 10 May 2005. This
instruction clearly delineates the roles and responsibilities at Enclosure 1 "Roles and
Responsibilities", Paragraph 1.e(6), which states, "The IAM shall: Ensure IS users receive
annual IA awareness training and privileged users receive appropriate IA training." The IAM for
each command/systems center within the claimancy is responsible for ensuring training of
individuals with access to his/her network.

The SPAWAR Claimancy IA staff, including SSC San Diego, provides metrics to the
Claimant IA Program Manager on a monthly basis, and holds monthly and quarterly program
reviews where they address progress on key areas, such as compliance with training
requirements.

c. Within 30 days of report issuance, establish clear procedures designating specific
roles and responsibilities for verifying individual security clearances in accordance with the
Office of Management and Budget Circular A-130, "Security of Federal Automated
Information Resources," November 28, 2000, for all Space and Naval Warfare Command
employees and contractors.

Response: Concur. SPAWARSYSCOM will develop a policy directive to establish clear
procedures for verifying individual personnel security clearances and clearly identify specific
roles and responsibilities. The SPAWARSYSCOM Security Director will coordinate this policy
with the SPAWARSYSCOM IA Manager. This policy directive shall cover the
SPAWARSYSCOM claimancy to include supported PEOs.

Estimated date for completion is 30 June 2006.

d. Begin using the Joint Personnel Adjudication System immediately to validate
individual security clearances in accordance with the Office of the Under Secretary of
Defense Memorandum, "Facilitating Classified Visits within the Department of Defense,"
April 1, 2005.

Response: Concur. SPAWARSYSCOM and SSC San Diego are in the process of
implementing this requirement in accordance with the Office of the Under Secretary of Defense
Memorandum, "Facilitating Classified Visits within the Department of Defense," April 1, 2005.

The SPAWARSYSCOM Security Director will hold an off site meeting with Site
Security Directors during the 7-9 March 2006 DoD Security Conference. The Security
Functional Change Lead (FCL) Team will address the issue of utilizing JPAS to send/receive
official visit requests; identify resources required to perform this function, ensure compliance
with Office of the Under Secretary of Defense Memorandum and Chief of Naval Operations
(CNO) policy regarding classified visits to ensure visitor's identity and security clearance
information is verified prior to authorizing access to SPAWAR facilities and to the classified
information. The FCL Team will identify requirements, costs, and establish command policy,
which will be incorporated in the new Security Policy directive/manual.

Estimated date for completion is 1 April 2006.


Department of the Air Force Comments


DEPARTMENT OF THE AIR FORCE

WASHINGTON DC


OFFICE OF THE SECRETARY

MEMORANDUM FOR DEPUTY INSPECTOR GENERAL FOR AUDITING
OFFICE OF THE INSPECTOR GENERAL

FROM: SAF/XC

1800 Air Force Pentagon
Washington DC 20330-1800

SUBJECT: DoD Organization Information Assurance Management of Information Technology
Goods and Services Acquired Through Interagency Agreements, January 6, 2006
Pn-  «i  No  D:frt«-rv>aiAS.or3 

1. This memo is in reply to your memorandum requesting the Air Force comments on subject
report.

2. The AEF Center Commander (AEFC/CC) concurs with the audit results and recommendation
and has taken the following actions in accordance with AFI 65-402.

a. The AEFC/CC ordered all inactive, suspended, or terminated accounts be deactivated
immediately. The AEFC system owners implemented this order and completed all related
actions on 13 Jan 06. Additionally, the system developers created an automated script to
detect and disable any AEFC system accounts not accessed within the past 120 days.

b. The AEFC/CC ordered weekly reviews of all system access logs under the control of the
AEFC. Periodic reviews of system access logs will be performed and annotated in a System
Information Assurance (IA) Log weekly. The System IA Log and basic interim procedures
were entitled and implemented on 11 Jan 06. Permanent, more detailed procedures will be
established and documented to ensure the review of AEFC system access logs is
accomplished and recorded weekly (ref 2(c) below). Actions in response to DoD IG audit
recommendations 3(b) and 3(c) will be completed concurrently.

c. The AEFC/CC ordered development of permanent policy and procedures for monitoring
user activity. This document will clearly communicate AEFC policy and fully detail
procedures for monitoring user activity and establish a schedule for reviewing system access
logs to ensure periodic reviews are accomplished and documented weekly by AEFC system
managers. Document is due to AEFC/CC for approval on 15 Feb 06.

3. These recommendations have been coordinated with ACC/FMFPM and ACC A61A.

4. My POC is Col Gary KlabuuJc. SAFXCIA. DSN 42S-IS1 1 The AEFC POC is Lt Col
Michael Uirbiwn. AEFC'AFH 41 DSN 575-44«


MICHAEL W. PETERSON, Lt Gen, USAF
Chief of Warfighting Integration and
Chief Information Officer


cc:
AEFC' EX
&AFTA
SAFTl
SAF/IGt
AFi'tt.
AFAA/CC
ACC/AA

Team Members

The  Department  of  Defense  Office  of  the  Deputy  Inspector  General  for  Auditing, 
Acquisitions  and  Contract  Management  prepared  this  report.  Personnel  of  the 
Department  of  Defense  Office  of  Inspector  General  who  contributed  to  the  report 
are  listed  below. 

Mary  L.  Ugone 
Richard  B.  Jolliffe 
Jacqueline  Wicecarver 
Sean  Davis 
Therese  Kince 
Deirdre  Beal 
Benita  Holliman 
Kelly  Lesly 
Mandie  Marr 
Marcia  Hart 
Karma  Cleveland 
Matt  Price 
Meredith  DePalma 
Dana  Fink 
Jacqueline  Pugh 
Meredith  H.  Johnson 


